Overview
Graymail detection identifies bulk, marketing, and newsletter emails that are not malicious but may clutter your users’ inboxes. Ocean Security continuously classifies these emails for all users. This page covers how to enable graymail filtering, configure the remediation folder, and control which users are in scope.Prerequisites
- Admin role required to modify settings
Enable Graymail Filtering
Remediation Folder
When graymail filtering is enabled, Ocean Security routes graymail to a designated folder or label. The available options depend on your email provider.- Microsoft 365
- Google Workspace
Under Move emails to, select the destination:
| Option | Description |
|---|---|
| Promotions | Moves graymail to the Promotions folder in each user’s mailbox. |
| Spam | Moves graymail to the Junk Email folder. |
Ocean Security automatically creates the destination folder or label if it does not exist. If it is deleted, Ocean Security recreates it to maintain routing.
Emails routed by graymail filtering remain searchable by your users.
Scope
By default, graymail filtering applies to all users in your tenant. To restrict filtering to specific mailboxes, click Advanced scope next to the remediation folder settings. This opens the Graymail filtering scope drawer with two options:| Tab | Behavior |
|---|---|
| All | Graymail filtering applies to all employees. |
| Include only | Filtering applies only to the mailboxes you specify. Add mailboxes separated by commas. |
Changes to users and groups may take up to 24 hours to be reflected. You can save and apply settings during this time.
User-Driven Sender Classification
Ocean Security learns from how your users handle their graymail folder. When someone manually moves an email into or out of the graymail folder, Ocean Security uses that signal to refine future classification for that sender — scoped to that individual mailbox.| Action | Effect |
|---|---|
| Your user moves an email into the graymail folder (Promotions or Graymail label) | Future emails from that sender are treated as graymail for that mailbox. |
| Your user moves an email out of the graymail folder to their inbox | Future emails from that sender are not routed to the graymail folder for that mailbox. |
These preferences are per-mailbox. If one of your users moves a sender to their inbox, emails from that sender are still routed to the graymail folder for other users in your organization.
Per-user preferences do not override Allow / Deny List rules you configure at the tenant level. A graymail-scoped Deny rule always routes emails to the graymail folder, regardless of individual user actions.
Processing Time: It may take up to one week for Ocean Security to fully process these manual actions and apply the updated classification to future incoming emails.
Verdict Scope (Allow / Deny List)
Each entry in the Allow / Deny List has a Verdict scope field that controls whether the rule affects all verdicts or only graymail classification.| Verdict scope | Behavior |
|---|---|
| Global | Default. Allow marks the email as allowed across all verdicts; Deny marks it as denied across all verdicts. |
| Graymail | Allow = emails from this sender are never classified as graymail (spam and malicious detection still applies). Deny = emails from this sender are always classified as graymail and routed to the remediation folder, unless already classified as spam or malicious. |
Graymail verdict scope does not override threat verdicts. A malicious or spam email will not be reclassified as graymail even if the sender has a Graymail Deny rule.
Read-Only Integration
If your Microsoft 365 or Google Workspace integration is configured in read-only mode, graymail detection runs in monitoring mode only. Enabling graymail filtering requires read-write integration permissions. To upgrade your integration permissions, contact your Ocean Security representative.Related
- Allow / Deny List - Create rules that apply only to graymail classification.